1 | #! /bin/sh |
2 | # iproute2 version, default updown script | |
3 | # | |
4 | # Copyright (C) 2003-2004 Nigel Meteringham | |
5 | # Copyright (C) 2003-2004 Tuomo Soini | |
6 | # Copyright (C) 2002-2004 Michael Richardson | |
ef014519 | 7 | # Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org> |
8b3b4a24 | 8 | # |
9 | # This program is free software; you can redistribute it and/or modify it |
10 | # under the terms of the GNU General Public License as published by the | |
11 | # Free Software Foundation; either version 2 of the License, or (at your | |
12 | # option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. | |
8b3b4a24 | 13 | # |
14 | # This program is distributed in the hope that it will be useful, but |
15 | # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY | |
16 | # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License | |
17 | # for more details. | |
18 | |
19 | # CAUTION: Installing a new version of strongSwan will install a new | |
20 | # copy of this script, wiping out any custom changes you make. If | |
21 | # you need changes, make a copy of this under another name, and customize | |
22 | # that, and use the (left/right)updown parameters in ipsec.conf to make | |
23 | # strongSwan use yours instead of this default one. | |
24 | ||
25 | # things that this script gets (from ipsec_pluto(8) man page) | |
26 | # | |
27 | # PLUTO_VERSION | |
28 | # indicates what version of this interface is being | |
29 | # used. This document describes version 1.1. This | |
30 | # is upwardly compatible with version 1.0. | |
31 | # | |
32 | # PLUTO_VERB | |
33 | # specifies the name of the operation to be performed | |
34 | # (prepare-host, prepare-client, up-host, up-client, | |
35 | # down-host, or down-client). If the address family | |
8af25c56 | 36 | # for security gateway to security gateway communica- |
37 | # tions is IPv6, then a suffix of -v6 is added to the |
38 | # verb. | |
39 | # | |
40 | # PLUTO_CONNECTION | |
41 | # is the name of the connection for which we are | |
42 | # routing. | |
43 | # | |
44 | # PLUTO_INTERFACE |
45 | # is the name of the ipsec interface to be used. | |
46 | # | |
47 | # PLUTO_REQID | |
48 | # is the reqid of the AH|ESP policy |
49 | # | |
50 | # PLUTO_PROTO | |
51 | # is the negotiated IPsec protocol, ah|esp | |
997358a6 | 52 | # |
53 | # PLUTO_UNIQUEID |
54 | # is the unique identifier of the associated IKE_SA | |
55 | # | |
56 | # PLUTO_ME |
57 | # is the IP address of our host. | |
58 | # | |
59 | # PLUTO_MY_ID | |
60 | # is the ID of our host. | |
61 | # | |
62 | # PLUTO_MY_CLIENT | |
63 | # is the IP address / count of our client subnet. If | |
64 | # the client is just the host, this will be the | |
65 | # host's own IP address / max (where max is 32 for | |
66 | # IPv4 and 128 for IPv6). | |
67 | # | |
997358a6 | 68 | # PLUTO_MY_SOURCEIP |
69 | # PLUTO_MY_SOURCEIP4_$i |
70 | # PLUTO_MY_SOURCEIP6_$i | |
71 | # contains IPv4/IPv6 virtual IP received from a responder, | |
72 | # $i enumerates from 1 to the number of IP per address family. | |
73 | # PLUTO_MY_SOURCEIP is a legacy variable and equals the first | |
74 | # virtual IP, IPv4 or IPv6. | |
75 | # |
76 | # PLUTO_MY_PROTOCOL | |
77 | # is the IP protocol that will be transported. | |
78 | # | |
79 | # PLUTO_MY_PORT | |
80 | # is the UDP/TCP port to which the IPsec SA is | |
81 | # restricted on our side. For ICMP/ICMPv6 this contains the |
82 | # message type, and PLUTO_PEER_PORT the message code. | |
83 | # |
84 | # PLUTO_PEER | |
85 | # is the IP address of our peer. | |
86 | # | |
87 | # PLUTO_PEER_ID | |
88 | # is the ID of our peer. | |
89 | # | |
997358a6 | 90 | # PLUTO_PEER_CLIENT |
8af25c56 | 91 | # is the IP address / count of the peer's client sub- |
92 | # net. If the client is just the peer, this will be |
93 | # the peer's own IP address / max (where max is 32 | |
94 | # for IPv4 and 128 for IPv6). | |
95 | # | |
96 | # PLUTO_PEER_PROTOCOL |
97 | # is the IP protocol that will be transported. | |
98 | # | |
99 | # PLUTO_PEER_PORT | |
100 | # is the UDP/TCP port to which the IPsec SA is | |
101 | # restricted on the peer side. For ICMP/ICMPv6 this contains the |
102 | # message code, and PLUTO_MY_PORT the message type. | |
997358a6 | 103 | # |
104 | # PLUTO_XAUTH_ID |
105 | # is an optional user ID employed by the XAUTH protocol | |
106 | # | |
107 | # PLUTO_MARK_IN | |
108 | # is an optional XFRM mark set on the inbound IPsec SA | |
109 | # | |
110 | # PLUTO_MARK_OUT | |
111 | # is an optional XFRM mark set on the outbound IPsec SA | |
112 | # | |
6d71f4dc | 113 | # PLUTO_UDP_ENC |
114 | # contains the remote UDP port in the case of ESP_IN_UDP |
115 | # encapsulation | |
964f6372 | 116 | # |
117 | # PLUTO_DNS4_$i |
118 | # PLUTO_DNS6_$i | |
119 | # contains IPv4/IPv6 DNS server attribute received from a | |
120 | # responder, $i enumerates from 1 to the number of servers per | |
121 | # address family. | |
122 | # | |
997358a6 | 123 | |
# Override PATH with a fixed list of system directories so that ip(8),
# iptables(8) and logger(1) are always resolved from there rather than from
# whatever environment the daemon inherited.  "@sbindir@" is an autoconf-style
# placeholder, presumably filled in at build time.
export PATH="/sbin:/bin:/usr/sbin:/usr/bin:@sbindir@"

# --- logging -----------------------------------------------------------
# VPN_LOGGING: comment out (or set empty) to disable syslog entries for
# connection setup/teardown; any non-empty value enables them.
VPN_LOGGING=1
# TAG: identifier prepended to every syslog line (logger -t)
TAG=vpn
# FAC_PRIO: syslog facility.priority the entries are sent with (logger -p)
FAC_PRIO=local0.notice
# To collect these entries in a dedicated file, add a line such as
#     local0.notice                   -/var/log/vpn
# to the syslog configuration (/etc/syslog.conf).

# --- source IP routing -------------------------------------------------
# Routes for a virtual/source IP go into a separate routing table, which
# needs the kernel options CONFIG_IP_ADVANCED_ROUTER and
# CONFIG_IP_MULTIPLE_TABLES.  Both values below are build-time placeholders.
# SOURCEIP_ROUTING_TABLE: the table holding the sourceip routes
SOURCEIP_ROUTING_TABLE=@routing_table@
# SOURCEIP_ROUTING_TABLE_PRIO: preference of the rule that selects the table
SOURCEIP_ROUTING_TABLE_PRIO=@routing_table_prio@

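# Check the version of the daemon/updown interface (PLUTO_VERSION).
# Only a 1.x version above 1.1 is accepted; the script relies on variables
# that older interface versions did not provide, and an unknown version
# (including an unset one) is rejected outright.  Exits with status 2 on
# rejection so the daemon can tell a refused invocation from a failed one.
#
# The original pattern "1.[0|1]" is a bracket expression that also matched
# the literal "1.|"; the two versions are now spelled out explicitly.
case "$PLUTO_VERSION" in
1.0|1.1)	# Older Pluto?!? Play it safe, script may be using new features.
	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
	echo "$0: called by obsolete Pluto?" >&2
	exit 2
	;;
1.*)	;;
*)	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
	exit 2
	;;
esac
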
# Validate the command-line parameters.  Exactly three shapes are accepted:
#   (none)          plain invocation by the daemon
#   iptables        a single "iptables" argument, set by (left/right)firewall
#                   and meaningful only for this default script
#   custom ...      "custom" followed by anything, for user copies of this
#                   script (see the CAUTION comment at the top)
# Everything else is rejected with exit status 2.  The key "$1:$*" makes the
# first argument and the complete argument list visible to one pattern.
case "$1:$*" in
':'|iptables:iptables|custom:*)
	;;
*)
	echo "$0: unknown parameters \`$*'" >&2
	exit 2
	;;
esac

# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.

# Install the route towards the peer (see doroute) and flush the kernel's
# route cache so the new entry is used immediately.  The cache flush is the
# last command, so its status is what the function returns.
uproute() {
	doroute add; ip route flush cache
}
# Remove the route towards the peer (see doroute) and flush the kernel's
# route cache.  As in uproute, the return value is the status of the flush.
downroute() {
	doroute delete; ip route flush cache
}

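# Make sure the virtual IP (PLUTO_MY_SOURCEIP, with any /prefix stripped) is
# configured as a local address on PLUTO_INTERFACE, so it can serve as the
# source of the routes installed by doroute.  The address is added as /32,
# i.e. this helper covers IPv4 only (the -v6 route verbs below are no-ops).
#
# Globals read:  PLUTO_MY_SOURCEIP, PLUTO_INTERFACE
# Globals set:   st (exit status), it (command text used in diagnostics),
#                oops (captured error output)
# Returns:       0 if the address was already local or was added,
#                otherwise the exit status of the failing ip(8) command
addsource() {
	st=0
	# a "local" route for the address means the kernel already owns it
	if ! ip -o route get "${PLUTO_MY_SOURCEIP%/*}" | grep -q '^local'
	then
		# run the command directly instead of through eval, so the address
		# and interface name are passed as single arguments and are never
		# re-parsed as shell syntax; "it" only documents the command for
		# the error message
		it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
		oops="$(ip addr add "${PLUTO_MY_SOURCEIP%/*}/32" dev "$PLUTO_INTERFACE" 2>&1)"
		st=$?
		# ip(8) may fail without printing anything; synthesize a message
		if [ -z "$oops" ] && [ "$st" -ne 0 ]
		then
			oops="silent error, exit status $st"
		fi
		# any output is reported, even with a zero exit status
		if [ -n "$oops" ] || [ "$st" -ne 0 ]
		then
			echo "$0: addsource \`$it' failed ($oops)" >&2
		fi
	fi
	return $st
}
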
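# Add or delete the route towards the peer's selector (PLUTO_PEER_CLIENT),
# optionally bound to a virtual/source IP and placed in the dedicated
# sourceip routing table.
#
# Arguments:     $1 is the ip-route action, "add" or "delete" (see uproute
#                and downroute)
# Globals read:  PLUTO_MY_SOURCEIP, PLUTO_PEER_CLIENT, PLUTO_NEXT_HOP,
#                PLUTO_PEER, PLUTO_INTERFACE, KLIPS, SOURCEIP_ROUTING_TABLE,
#                SOURCEIP_ROUTING_TABLE_PRIO, PLUTO_PEER_CLIENT_NET and
#                PLUTO_PEER_CLIENT_MASK (the last two are not listed in the
#                header above; presumably exported by the daemon alongside
#                PLUTO_PEER_CLIENT -- confirm against the daemon)
# Globals set:   st, it, oops, parms1, parms2, parms3, dir, and possibly
#                PLUTO_MY_SOURCEIP (taken from DEFAULTSOURCE)
# Returns:       0 on success or when no route is required, otherwise the
#                exit status of the failing ip(8) command
doroute() {
	st=0

	# without a virtual IP, optionally pick a system-wide default source
	# address from a configuration file; note that the file is sourced,
	# i.e. executed as shell code with this script's privileges, so it
	# must be writable by root only
	if [ -z "$PLUTO_MY_SOURCEIP" ]
	then
		for dir in /etc/sysconfig /etc/conf.d
		do
			if [ -f "$dir/defaultsource" ]
			then
				. "$dir/defaultsource"
			fi
		done

		if [ -n "$DEFAULTSOURCE" ]
		then
			PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
		fi
	fi

	if [ -z "$KLIPS" ] && [ -z "$PLUTO_MY_SOURCEIP" ]
	then
		# leave because no route entry is required
		return $st
	fi

	parms1="$PLUTO_PEER_CLIENT"

	# the next hop defaults to the peer itself
	if [ -n "$PLUTO_NEXT_HOP" ]
	then
		parms2="via $PLUTO_NEXT_HOP"
	else
		parms2="via $PLUTO_PEER"
	fi
	parms2="$parms2 dev $PLUTO_INTERFACE"

	parms3=
	if [ -n "$PLUTO_MY_SOURCEIP" ]
	then
		if [ "$1" = "add" ]
		then
			addsource
			# install the policy rule for the sourceip table once; the
			# table is matched as a whole word so that, e.g., table 22 is
			# not mistaken for an existing rule referring to table 220
			if ! ip rule list | grep -qE "lookup $SOURCEIP_ROUTING_TABLE( |\$)"
			then
				ip rule add pref "$SOURCEIP_ROUTING_TABLE_PRIO" table "$SOURCEIP_ROUTING_TABLE"
			fi
		fi
		parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
	fi

	# The commands are run directly rather than through eval, so the
	# variable contents are never re-parsed as shell syntax.  $parms2 and
	# $parms3 are intentionally left unquoted: each holds several words.
	# "it" only documents the command for the error message below.
	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
	"0.0.0.0/0.0.0.0")
		# opportunistic encryption work around
		# need to provide route that eclipses default, without
		# replacing it.
		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
			ip route $1 128.0.0.0/1 $parms2 $parms3"
		oops="$(ip route "$1" 0.0.0.0/1 $parms2 $parms3 2>&1 &&
			ip route "$1" 128.0.0.0/1 $parms2 $parms3 2>&1)"
		st=$?
		;;
	*)
		it="ip route $1 $parms1 $parms2 $parms3"
		oops="$(ip route "$1" "$parms1" $parms2 $parms3 2>&1)"
		st=$?
		;;
	esac
	# ip(8) may fail without printing anything; synthesize a message
	if [ -z "$oops" ] && [ "$st" -ne 0 ]
	then
		oops="silent error, exit status $st"
	fi
	# any output is reported, even with a zero exit status
	if [ -n "$oops" ] || [ "$st" -ne 0 ]
	then
		echo "$0: doroute \`$it' failed ($oops)" >&2
	fi
	return $st
}
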
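# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
#
# With the native stack the iptables policy match is what restricts the
# ACCEPT rules below to packets that were actually protected by this SA
# (matching on IPsec protocol and reqid); with KLIPS that match is dropped,
# presumably because the traffic shows up on a dedicated ipsecN device and
# the interface match suffices.  The interface name is tested with a shell
# pattern instead of an unquoted command substitution inside test(1), which
# misbehaves for names containing whitespace.
case "$PLUTO_INTERFACE" in
*ipsec*)
	KLIPS=1
	IPSEC_POLICY_IN=""
	IPSEC_POLICY_OUT=""
	;;
*)
	KLIPS=
	IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
	;;
esac
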
# For ICMP (protocol 1) and ICMPv6 (protocol 58) the "port" values carry the
# message type/code, so the matching iptables option is selected here; for
# every other protocol --sport/--dport are used instead.  ICMP_TYPE_OPTION is
# not cleared for other protocols, so this relies on it not being present in
# the inherited environment.
if [ "$PLUTO_MY_PROTOCOL" = 1 ]
then
	ICMP_TYPE_OPTION="--icmp-type"
elif [ "$PLUTO_MY_PROTOCOL" = 58 ]
then
	ICMP_TYPE_OPTION="--icmpv6-type"
fi

# Build the port (or ICMP type/code) restrictions for the firewall rules.
# A value of 0 means "no restriction" and leaves the variable unset.
#
# Non-ICMP: S_MY_PORT/D_MY_PORT restrict our port as source/destination,
#           S_PEER_PORT/D_PEER_PORT do the same for the peer's port.
# ICMP:     iptables takes a single --icmp[v6]-type type[/code] option, so
#           the type (PLUTO_MY_PORT) goes into S_/D_MY_PORT and the code
#           (PLUTO_PEER_PORT) is appended to it with a slash; the *_PEER_PORT
#           variables stay unset.  A type of 0 is indistinguishable from
#           "no restriction" here.
if [ -n "$ICMP_TYPE_OPTION" ]
then
	if [ "$PLUTO_MY_PORT" != 0 ]
	then
		S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
		D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
	fi
	if [ "$PLUTO_PEER_PORT" != 0 ]
	then
		S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
		D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
	fi
else
	if [ "$PLUTO_MY_PORT" != 0 ]
	then
		S_MY_PORT="--sport $PLUTO_MY_PORT"
		D_MY_PORT="--dport $PLUTO_MY_PORT"
	fi
	if [ "$PLUTO_PEER_PORT" != 0 ]
	then
		S_PEER_PORT="--sport $PLUTO_PEER_PORT"
		D_PEER_PORT="--dport $PLUTO_PEER_PORT"
	fi
fi

# Resolve the octal escape sequences the daemon uses in the identities, so
# the log lines below show the decoded IDs.
#
# NOTE(review): each ID is used as the printf *format string*.  A literal
# '%' in a peer-supplied ID is therefore interpreted as a conversion
# specification instead of being copied through, which can garble the log
# entry or make printf fail.  printf '%b' "$id" would decode escapes without
# that side effect, but on a strictly POSIX printf %b expects "\0ddd" rather
# than "\ddd" -- confirm the daemon's escape format before switching.
PLUTO_MY_ID=$(printf "$PLUTO_MY_ID")
PLUTO_PEER_ID=$(printf "$PLUTO_PEER_ID")

334 | # the big choice |
335 | case "$PLUTO_VERB:$1" in | |
336 | prepare-host:*|prepare-client:*) | |
7a1f49c3 AS |
337 | if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] |
338 | then | |
339 | # exit because no route will be added, | |
340 | # so that existing routes can stay | |
341 | exit 0 | |
342 | fi | |
343 | ||
997358a6 MW |
344 | # delete possibly-existing route (preliminary to adding a route) |
345 | case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in | |
346 | "0.0.0.0/0.0.0.0") | |
8b3b4a24 | 347 | # need to provide route that eclipses default, without |
997358a6 MW |
348 | # replacing it. |
349 | parms1="0.0.0.0/1" | |
350 | parms2="128.0.0.0/1" | |
351 | it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" | |
352 | oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" | |
353 | ;; | |
354 | *) | |
355 | parms="$PLUTO_PEER_CLIENT" | |
356 | it="ip route delete $parms 2>&1" | |
357 | oops="`ip route delete $parms 2>&1`" | |
358 | ;; | |
359 | esac | |
360 | status="$?" | |
361 | if test " $oops" = " " -a " $status" != " 0" | |
362 | then | |
363 | oops="silent error, exit status $status" | |
364 | fi | |
365 | case "$oops" in | |
8b3b4a24 | 366 | *'RTNETLINK answers: No such process'*) |
997358a6 MW |
367 | # This is what route (currently -- not documented!) gives |
368 | # for "could not find such a route". | |
369 | oops= | |
370 | status=0 | |
371 | ;; | |
372 | esac | |
373 | if test " $oops" != " " -o " $status" != " 0" | |
374 | then | |
375 | echo "$0: \`$it' failed ($oops)" >&2 | |
376 | fi | |
377 | exit $status | |
378 | ;; | |
379 | route-host:*|route-client:*) | |
380 | # connection to me or my client subnet being routed | |
381 | uproute | |
382 | ;; | |
383 | unroute-host:*|unroute-client:*) | |
384 | # connection to me or my client subnet being unrouted | |
385 | downroute | |
386 | ;; | |
387 | up-host:) | |
388 | # connection to me coming up | |
389 | # If you are doing a custom version, firewall commands go here. | |
390 | ;; | |
391 | down-host:) | |
392 | # connection to me going down | |
393 | # If you are doing a custom version, firewall commands go here. | |
394 | ;; | |
395 | up-client:) | |
396 | # connection to my client subnet coming up | |
397 | # If you are doing a custom version, firewall commands go here. | |
398 | ;; | |
399 | down-client:) | |
400 | # connection to my client subnet going down | |
401 | # If you are doing a custom version, firewall commands go here. | |
402 | ;; | |
403 | up-host:iptables) | |
404 | # connection to me, with (left/right)firewall=yes, coming up | |
405 | # This is used only by the default updown script, not by your custom | |
406 | # ones, so do not mess with it; see CAUTION comment up at top. | |
407 | iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
b14a8768 | 408 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
997358a6 MW |
409 | -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT |
410 | iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
411 | -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ | |
b14a8768 | 412 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT |
997358a6 MW |
413 | # |
414 | # log IPsec host connection setup | |
415 | if [ $VPN_LOGGING ] | |
416 | then | |
bb7b613b | 417 | if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] |
997358a6 MW |
418 | then |
419 | logger -t $TAG -p $FAC_PRIO \ | |
bb7b613b | 420 | "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" |
997358a6 MW |
421 | else |
422 | logger -t $TAG -p $FAC_PRIO \ | |
bb7b613b | 423 | "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" |
997358a6 | 424 | fi |
8b3b4a24 | 425 | fi |
997358a6 MW |
426 | ;; |
427 | down-host:iptables) | |
428 | # connection to me, with (left/right)firewall=yes, going down | |
429 | # This is used only by the default updown script, not by your custom | |
430 | # ones, so do not mess with it; see CAUTION comment up at top. | |
431 | iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
b14a8768 | 432 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
997358a6 MW |
433 | -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT |
434 | iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
435 | -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ | |
b14a8768 | 436 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT |
997358a6 MW |
437 | # |
438 | # log IPsec host connection teardown | |
439 | if [ $VPN_LOGGING ] | |
440 | then | |
bb7b613b | 441 | if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] |
997358a6 MW |
442 | then |
443 | logger -t $TAG -p $FAC_PRIO -- \ | |
bb7b613b | 444 | "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" |
997358a6 MW |
445 | else |
446 | logger -t $TAG -p $FAC_PRIO -- \ | |
bb7b613b | 447 | "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" |
997358a6 MW |
448 | fi |
449 | fi | |
450 | ;; | |
451 | up-client:iptables) | |
452 | # connection to client subnet, with (left/right)firewall=yes, coming up | |
453 | # This is used only by the default updown script, not by your custom | |
454 | # ones, so do not mess with it; see CAUTION comment up at top. | |
455 | if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] | |
456 | then | |
457 | iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
b14a8768 AS |
458 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ |
459 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT | |
997358a6 | 460 | iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
b14a8768 AS |
461 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
462 | -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
997358a6 MW |
463 | fi |
464 | # | |
465 | # a virtual IP requires an INPUT and OUTPUT rule on the host | |
466 | # or sometimes host access via the internal IP is needed | |
467 | if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] | |
468 | then | |
469 | iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
b14a8768 AS |
470 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
471 | -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
997358a6 | 472 | iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ |
b14a8768 AS |
473 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ |
474 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT | |
997358a6 MW |
475 | fi |
476 | # | |
477 | # log IPsec client connection setup | |
478 | if [ $VPN_LOGGING ] | |
479 | then | |
bb7b613b | 480 | if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] |
997358a6 MW |
481 | then |
482 | logger -t $TAG -p $FAC_PRIO \ | |
bb7b613b | 483 | "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" |
997358a6 MW |
484 | else |
485 | logger -t $TAG -p $FAC_PRIO \ | |
bb7b613b | 486 | "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" |
997358a6 MW |
487 | fi |
488 | fi | |
489 | ;; | |
490 | down-client:iptables) | |
491 | # connection to client subnet, with (left/right)firewall=yes, going down | |
492 | # This is used only by the default updown script, not by your custom | |
493 | # ones, so do not mess with it; see CAUTION comment up at top. | |
494 | if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] | |
495 | then | |
496 | iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
b14a8768 AS |
497 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ |
498 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ | |
997358a6 MW |
499 | $IPSEC_POLICY_OUT -j ACCEPT |
500 | iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
b14a8768 AS |
501 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
502 | -d $PLUTO_MY_CLIENT $D_MY_PORT \ | |
997358a6 MW |
503 | $IPSEC_POLICY_IN -j ACCEPT |
504 | fi | |
505 | # | |
506 | # a virtual IP requires an INPUT and OUTPUT rule on the host | |
507 | # or sometimes host access via the internal IP is needed | |
508 | if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] | |
509 | then | |
510 | iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
b14a8768 AS |
511 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
512 | -d $PLUTO_MY_CLIENT $D_MY_PORT \ | |
997358a6 MW |
513 | $IPSEC_POLICY_IN -j ACCEPT |
514 | iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
b14a8768 AS |
515 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ |
516 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ | |
997358a6 MW |
517 | $IPSEC_POLICY_OUT -j ACCEPT |
518 | fi | |
519 | # | |
520 | # log IPsec client connection teardown | |
521 | if [ $VPN_LOGGING ] | |
522 | then | |
bb7b613b | 523 | if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] |
997358a6 MW |
524 | then |
525 | logger -t $TAG -p $FAC_PRIO -- \ | |
bb7b613b | 526 | "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" |
997358a6 MW |
527 | else |
528 | logger -t $TAG -p $FAC_PRIO -- \ | |
bb7b613b | 529 | "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" |
997358a6 MW |
530 | fi |
531 | fi | |
532 | ;; | |
533 | # | |
534 | # IPv6 | |
535 | # | |
536 | prepare-host-v6:*|prepare-client-v6:*) | |
537 | ;; | |
538 | route-host-v6:*|route-client-v6:*) | |
539 | # connection to me or my client subnet being routed | |
540 | #uproute_v6 | |
541 | ;; | |
542 | unroute-host-v6:*|unroute-client-v6:*) | |
543 | # connection to me or my client subnet being unrouted | |
544 | #downroute_v6 | |
545 | ;; | |
b14a8768 | 546 | up-host-v6:) |
997358a6 MW |
547 | # connection to me coming up |
548 | # If you are doing a custom version, firewall commands go here. | |
549 | ;; | |
b14a8768 | 550 | down-host-v6:) |
997358a6 MW |
551 | # connection to me going down |
552 | # If you are doing a custom version, firewall commands go here. | |
553 | ;; | |
b14a8768 | 554 | up-client-v6:) |
997358a6 MW |
555 | # connection to my client subnet coming up |
556 | # If you are doing a custom version, firewall commands go here. | |
557 | ;; | |
b14a8768 | 558 | down-client-v6:) |
997358a6 MW |
559 | # connection to my client subnet going down |
560 | # If you are doing a custom version, firewall commands go here. | |
561 | ;; | |
b14a8768 AS |
562 | up-host-v6:iptables) |
563 | # connection to me, with (left/right)firewall=yes, coming up | |
564 | # This is used only by the default updown script, not by your custom | |
565 | # ones, so do not mess with it; see CAUTION comment up at top. | |
566 | ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
567 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
568 | -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
569 | ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
570 | -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ | |
571 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT | |
572 | # | |
573 | # log IPsec host connection setup | |
574 | if [ $VPN_LOGGING ] | |
575 | then | |
bb7b613b | 576 | if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] |
b14a8768 AS |
577 | then |
578 | logger -t $TAG -p $FAC_PRIO \ | |
bb7b613b | 579 | "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" |
b14a8768 AS |
580 | else |
581 | logger -t $TAG -p $FAC_PRIO \ | |
bb7b613b | 582 | "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" |
b14a8768 | 583 | fi |
8b3b4a24 | 584 | fi |
b14a8768 AS |
585 | ;; |
586 | down-host-v6:iptables) | |
587 | # connection to me, with (left/right)firewall=yes, going down | |
588 | # This is used only by the default updown script, not by your custom | |
589 | # ones, so do not mess with it; see CAUTION comment up at top. | |
590 | ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
591 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
592 | -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
593 | ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
594 | -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ | |
595 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT | |
596 | # | |
597 | # log IPsec host connection teardown | |
598 | if [ $VPN_LOGGING ] | |
599 | then | |
bb7b613b | 600 | if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] |
b14a8768 AS |
601 | then |
602 | logger -t $TAG -p $FAC_PRIO -- \ | |
bb7b613b | 603 | "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" |
b14a8768 AS |
604 | else |
605 | logger -t $TAG -p $FAC_PRIO -- \ | |
bb7b613b | 606 | "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" |
b14a8768 AS |
607 | fi |
608 | fi | |
609 | ;; | |
610 | up-client-v6:iptables) | |
611 | # connection to client subnet, with (left/right)firewall=yes, coming up | |
612 | # This is used only by the default updown script, not by your custom | |
613 | # ones, so do not mess with it; see CAUTION comment up at top. | |
614 | if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] | |
615 | then | |
616 | ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
617 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ | |
618 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT | |
619 | ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
620 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
621 | -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
622 | fi | |
623 | # | |
624 | # a virtual IP requires an INPUT and OUTPUT rule on the host | |
625 | # or sometimes host access via the internal IP is needed | |
626 | if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] | |
627 | then | |
628 | ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
629 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
630 | -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
631 | ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
632 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ | |
633 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT | |
634 | fi | |
635 | # | |
636 | # log IPsec client connection setup | |
637 | if [ $VPN_LOGGING ] | |
638 | then | |
bb7b613b | 639 | if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] |
b14a8768 AS |
640 | then |
641 | logger -t $TAG -p $FAC_PRIO \ | |
bb7b613b | 642 | "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" |
b14a8768 AS |
643 | else |
644 | logger -t $TAG -p $FAC_PRIO \ | |
bb7b613b | 645 | "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" |
b14a8768 AS |
646 | fi |
647 | fi | |
648 | ;; | |
649 | down-client-v6:iptables) | |
650 | # connection to client subnet, with (left/right)firewall=yes, going down | |
651 | # This is used only by the default updown script, not by your custom | |
652 | # ones, so do not mess with it; see CAUTION comment up at top. | |
653 | if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] | |
654 | then | |
655 | ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
656 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ | |
657 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ | |
658 | $IPSEC_POLICY_OUT -j ACCEPT | |
659 | ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
660 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
661 | -d $PLUTO_MY_CLIENT $D_MY_PORT \ | |
662 | $IPSEC_POLICY_IN -j ACCEPT | |
663 | fi | |
664 | # | |
665 | # a virtual IP requires an INPUT and OUTPUT rule on the host | |
666 | # or sometimes host access via the internal IP is needed | |
667 | if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] | |
668 | then | |
669 | ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
670 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
671 | -d $PLUTO_MY_CLIENT $D_MY_PORT \ | |
672 | $IPSEC_POLICY_IN -j ACCEPT | |
673 | ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
674 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ | |
675 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ | |
676 | $IPSEC_POLICY_OUT -j ACCEPT | |
677 | fi | |
678 | # | |
679 | # log IPsec client connection teardown | |
680 | if [ $VPN_LOGGING ] | |
681 | then | |
bb7b613b | 682 | if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] |
b14a8768 AS |
683 | then |
684 | logger -t $TAG -p $FAC_PRIO -- \ | |
bb7b613b | 685 | "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" |
b14a8768 AS |
686 | else |
687 | logger -t $TAG -p $FAC_PRIO -- \ | |
bb7b613b | 688 | "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" |
b14a8768 AS |
689 | fi |
690 | fi | |
691 | ;; | |
997358a6 MW |
692 | *) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 |
693 | exit 1 | |
694 | ;; | |
695 | esac |